Computer Evidence Michael I. Shamos, Ph.D., J.D.

Computer Evidence Michael I. Shamos, Ph.D., J.D.
Institute for Software Research School of Computer Science Carnegie Mellon University LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

LAW OF COMPUTER TECHNOLOGY FALL 2018 © 2018 MICHAEL I. SHAMOS
Purpose of Evidence To prove facts. Evidence makes the existence of fact that is of consequence to the case either more or less probable than it would be without the evidence Matters of law Determined by the court, reviewable on appeal Example: “does fraud require the maker of a statement to know that it was false?” No evidence required Matters of fact Based on evidence, possibly opinion evidence Example: “did Mr. X send the threatening ”? Determined by the “trier of fact,” a judge or a jury Reviewable under the “clearly erroneous” standard LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Rules of Evidence Statutes that determine which evidence can be introduced, and under what conditions For federal courts, expressed in the Federal Rules of Evidence, enacted by Congress The FRE are a model, followed closely by most states, which have enacted the Uniform Rules of Evidence (URE), which closely track the Federal Rules of Evidence Pennsylvania has not enacted the URE LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Relevance Relevant evidence is “evidence having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.” (FRE 401) Only relevant evidence is admissible Why? Irrelevant evidence has no purpose and can be distracting, uneconomical and misleading Evidence that is not “of consequence to the determination” is immaterial and not admissible LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

“Incompetent, Irrelevant and Immaterial”
Sometimes in legal TV shows you hear an attorney object to evidence as “incompetent, irrelevant and immaterial.” These mean three different things. “Incompetent” means evidence that does not qualify as proof of an otherwise relevant fact. Example: someone who did not see a car accident tries to testify to the speed of the cars Example: An unqualified expert witness “Irrelevant” means “not tending to prove or disprove a material fact. “Immaterial” means not “of consequence to the determination” – it doesn’t matter one way or the other LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Types of Evidence Real/Tangible A thing involved in the underlying event (e.g. a weapon, document, or other item) Testimonial Statements by a witness under oath. The trier relies on W’s interpretation of W’s sensory data, memory, etc. Demonstrative Visible items that illustrate some material proposition about the case (e.g. a map, chart, crime scene photo, summary, computer simulation) SOURCE: JEREMIAH FRYE LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Direct v. Circumstantial
Evidence which, if believed, automatically resolves an issue in the case Example: A is sued for copyright infringement of music. W testifies he saw A copying the music on B’s computer. (Copying is an element of infringement – it’s an issue in the case) Circumstantial Evidence which, even if believed, requires reasoning or inference to resolve the issue Example: B is charged with murdering A. W testifies he saw A copying music on B’s computer. (Copying is not an element of murder. It might inferentially establish motive.) LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Different Standards of Proof
In each case one party or another must prove its claim according to an specific “standard of proof” “Likelihood of success” The lowest standard of proof Used in issuing preliminary injunctions Substantial probability, but not necessarily > 50% “Preponderance of the evidence” The usual civil standard “More likely than not” that each element of the cause of action has been established LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Standards of Proof “Clear and convincing evidence” “substantially more likely than not” that the required elements are present An elevated civil standard often used to prove fraud, overcome a presumption or overturn a government action “Beyond a reasonable doubt” (in the mind of a reasonable person) The criminal standard Each element of the crime must be proven beyond a reasonable doubt The highest standard of proof LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Standards of Proof Compared
LIKELIHOOD OF SUCCESS PREPONDERANCE OF THE EVIDENCE CLEAR AND CONVINCING EVIDENCE BEYOND A REASONABLE DOUBT NOTE: EXCEPT FOR PREPONDERANCE (>50%), PERCENTAGES ARE NOT PRECISELY DEFINED LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Authentication Required
“The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” FRE 901 Without authentication, evidence is inadmissible unless self-authenticating, e.g. statutes, newspapers. “Ancient documents or data compilation. Evidence that a document or data compilation, in any form, (A) is in such condition as to create no suspicion concerning its authenticity, (B) was in a place where it, if authentic, would likely be, and (C) has been in existence 20 years or more at the time it is offered.” FRE 901(b)(8).

“Best Evidence” Rule “To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.” FRE 1002 A duplicate of the original is ordinarily permitted, but not oral testimony or other documents referring to the original The “best evidence” rule is very limited. It does not mean that the best evidence must be used to prove each element of the case It also has exceptions, e.g. if the original no longer exists LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Computer “Best Evidence” Rule
If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’” and is admissible. FRE 1001(d) This rule is relied upon heavily in computer litigation since electronic evidence is often transferred to different media before presentation in court The computer best evidence rule was enacted in Pennsylvania SOURCE: JEREMIAH FRYE LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Sutherlin v. State of Indiana 784 N.E.2d 971 (Ind. Ct. App. 2003)
Sutherlin robbed Price outside a bank in Indianapolis Brissey witnessed the last 15 seconds of the crime before Sutherlin got away The police showed Price a computer-generated array of 500 mug shots. Price picked Sutherlin with 70-80% certainty The police showed Brissey a computer-generated array of 6 photos, including Sutherlin’s. Brissey identified Sutherlin Indiana is a Uniform Rules of Evidence state LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Sutherlin v. State of Indiana
At trial, the state could not produce the Brissey array but offered another computer-generated array showing the same six photographs. It was admitted. Sutherlin was convicted of robbery On appeal, he said the photo array was a “writing or photograph” subject to the best evidence rule. Without the original, a copy should not have been admitted. The appeals court upheld the conviction because the state produced “other output readable by sight” and Sutherlin did not contest its accuracy It would have been different if Brissey had been shown paper photographs! Then originals would be required! LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Uniform Photographic Copies of Business and Public Records As Evidence Act (UPA)
Enacted in Pennsylvania. Modifies best evidence rule Original business records, e.g. a signed receipt, may be destroyed if a copy is made by a “process which accurately reproduces or forms a durable medium for so reproducing the original,” including digital processes Such a reproduction, when satisfactorily identified, is as admissible in evidence as the original itself in any judicial or administrative proceeding whether the original is in existence or not and an enlargement or facsimile of such reproduction is likewise admissible in evidence if the original reproduction is in existence and available for inspection under direction of the court.

Hearsay A “statement” is (1) an oral or written assertion or (2) nonverbal conduct of a person, if it is intended by the person as an assertion. A “declarant” is a person who makes a statement. “Hearsay” is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted. LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Hearsay or Not? A testifies that B told A, “I sold my car last week.” This is hearsay if offered to prove that B sold his car It is NOT hearsay if offered to prove that A and B had a conversation A orders some goods from B over the Internet but doesn’t pay for them. B sues A and offers a printout of a database record showing the transaction. The data is hearsay if offered to prove that A ordered from B It is not hearsay if offered to prove that B has an online order entry system LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

The Hearsay Rule “Hearsay is not admissible unless any of the following provides otherwise: a federal statute; these rules; or other rules prescribed by the Supreme Court.” FRE 802. There are MANY exceptions to the Hearsay Rule, applicable when there is reason to believe that the hearsay is trustworthy Example: records kept in the “ordinary course” of business (the “business records” exception) Why? Business owners have an interest in keeping accurate records All evidence can be challenged if admitted. LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

The Hearsay Flowchart

Business Records Exception
Admissible: “Records of regularly conducted activity.” “A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness … unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term "business" as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.” FRE 801 LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Computer Records Computer records may or may not be hearsay Contents of records with assertions attributed to a person and presented as evidence may be hearsay Computer records generated without human involvement (i.e., internally generated by the computer, like event logs) are not hearsay The records still require authentication SOURCE: PETER STEPHENSON LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Computer Searches As Evidence
Justin Ross Harris left his 2-year-old son Cooper locked in a hot car for hours Cooper died The police seized Harris’s computers Before the death, Harris and his wife searched on Google for information about death in hot cars and what temperature was needed for death Before the death, Harris discussed with family member insurance policies he had on his son’s life Harris was charged with murder Was the Google search evidence admissible at trial? Was the conversation about insurance admissible? LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Justin Ross Harris Case
Harris was convicted of murder by a jury in November 2016 after weeks of trial and four days of deliberation He was sentenced to life in prison + 34 years, with no possibility of parole, but given credit for 2 years already served He filed an appeal – no decision yet. LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

F.R.E. 902(13), (14) (13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person … [is self-authenticating]. (14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person … [is self-authenticating]. LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Federal Rules of Evidence
Notes of Advisory Committee regarding 902(14) “digital identification” “Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.” LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

When Can Police Seize Evidence?
4th Amendment to the U.S. Constitution (also made applicable to the states by the 14th amendment): “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Without a warrant, a seizure will likely be invalid, unless the police witnessed the crime LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

United States v. Mark Albert Rettenmaier (C.D. Cal. 2017)
Rettenmaier is a California Rettenmaier sent his computer to Best Buy for repair Best Buy sent it to its national repair shop in Brooks, Kentucky (“Geek Squad City”) The technicians found 800+ images of underage naked girls Best Buy called the Federal Bureau of Investigation (FBI). The FBI pays Best Buy $500 for porno tips Based on the computer images, the FBI applied for, and obtained, a warrant to search Rettenmaier’s house The FBI found many more such images in the house LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Indictment

Indictment, pronounced “in-DITE-ment”
U.S. Constitution, 5th Amendment: No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; [double jeopardy] nor shall be compelled in any criminal case to be a witness against himself, [self-incrimination] nor be deprived of life, liberty, or property, without due process of law; [due process] nor shall private property be taken for public use, without just compensation. [eminent domain]

Grand Jury v. Regular (Petit) Jury
Regular (petit = “small”) jury. Group of citizens chosen to find facts in a particular case. Petit jury usually 6-12 people Grand jury both investigates and accuses (but does not determine guilt or innocence). Can sit for months. Only decides whether a person should be tried for a crime Grand juries exist ONLY IN THE U.S. AND LIBERIA Grand jury usually people, mostly 23 The prosecutor brings an indictment (accusation) against a person to the grand jury Grand jury decides whether the person should be tried LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

18 U.S.C. § 2252A(a) (5) (B) CHAPTER TITLE: SEXUAL EXPLOITATION AND OTHER ABUSE OF CHILDREN Any person who— knowingly possesses, or knowingly accesses with intent to view, any book, magazine, periodical, film, videotape, computer disk, or any other material that contains an image of child pornography that has been mailed … shall be punished as provided in subsection (b) Fine + 10 years in prison Second offense: Fine years in prison LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

18 U.S.C. § 2256 (Definitions) (8) “child pornography” means any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where— (A) the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct; (B) such visual depiction is a digital image, computer image, or computer-generated image that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct; or (C) such visual depiction has been created, adapted, or modified to appear that an identifiable minor is engaging in sexually explicit conduct.

U.S. v. Rettenmaier The FBI’s warrant application contained false statements While the images showed naked girls, they were not “child pornography” as defined by the statute Also, the computer images were in a “deleted files” area, meaning that Rettenmaier may not have intended to send them to Best Buy The images found in the house WERE child pornography The judge found that the warrant was unjustified and refused to allow evidence found in the house to be used LAW OF COMPUTER TECHNOLOGY FALL © 2018 MICHAEL I. SHAMOS

Major Ideas Evidence is crucial to proving facts
Evidence must be relevant, material and reliable Admissibility of evidence is controlled by a complex set of “rules of evidence” Hearsay is a statement (oral or written) made out of court that is offered as evidence that the fact stated is true Hearsay is not admissible unless permitted by an exception Most business records are hearsay, but admissible under the business records exception Evidence improperly obtained by the government may not be used at trial

Computer Evidence Michael I. Shamos, Ph.D., J.D.

Similar presentations

Presentation on theme: "Computer Evidence Michael I. Shamos, Ph.D., J.D."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Computer Evidence Michael I. Shamos, Ph.D., J.D.

Similar presentations

Presentation on theme: "Computer Evidence Michael I. Shamos, Ph.D., J.D."— Presentation transcript:

Similar presentations

About project

Feedback